Risk Register Tool Template

NCHRP 08-36 (TASK 126): RISK REGISTER TOOL - Template
NCHRP 08-36 (TASK 126): RISK REGISTER TOOL
NCHRP 08-36, Task 126

Development of a Risk Register Spreadsheet Tool
Risk Register Tool Template
Requested by:
American Association of State Highway and Transportation Officials (AASHTO) Standing Committee on Planning
Prepared by:
WSP | Parsons Brinckerhoff
John Patrick (J.P.) O'Har, Ph.D.

Christopher Senesi
in conjunction with Independent Contractor Keith R. Molenaar, Ph.D.
New York, NY
July 2016
The information contained in this tool was prepared as part of National Cooperative Highway Research Program (NCHRP) Project 08-36, Task 126 Development of a Risk Register Spreadsheet
Tool.
Special Note: This tool IS NOT an official publication of the NCHRP, the Transportation Research Board or the National Academies.
The opinions and conclusions expressed or implied are those of the research agency that performed the research and are not necessarily those of the Transportation Research Board or its
sponsoring agencies. This tool has not been reviewed or accepted by the Transportation Research Board Executive Committee or the Governing Board of the National Research Council.
WSP | Parsons Brinckerhoff Overview: 1 of 26 July 2016

TEMPLATE VS. EXAMPLES
This is a blank, editable version (template) of the risk register tool. Before entering risks into the tool, the agency should: a) determine whether or not
this will be an enterprise-level risk register or a program-level risk register and b) populate the "Categories & Rating" sheet. The user should refer to
the example "Enterprise" and/or "Program" risk register(s) to see how to properly populate the "Categories & Rating" sheet; further, the agency is
free to use the verbiage from the example(s) for its risk register. Once the "Categories & Rating" sheet is populated, the agency can move forward in
using the risk register by populating the remaining input sheets.
WSP | Parsons Brinckerhoff Example Context: 2 of 26 July 2016

INSTRUCTIONS
Overview
The risk register is a spreadsheet-based tool used for identifying, analyzing, and monitoring enterprise or program-level risk. The tool provides a
complete risk register that can be modified for user-added preferences or additional information.
The risk register can be used to support a risk management process consistent with industry best practices, the ISO 31000 standard, and the NCHRP
08-93 Enterprise Risk Management Guide. The tool mirrors the core risk management steps, including risk identification, risk analysis, risk evaluation,
and risk management/treatment. For this tool, risk evaluation is included as part of risk analysis.
This version of the risk register is designed for threats and not for opportunities. The tool can be adapted by the user to be used as a register for
opportunities.
Enterprise vs. Program

The risk register tool can be used for either enterprise or program risk management. When completing the first input sheet, "Categories & Rating",
the user should determine whether this tool will be used for enterprise or program-level risk management. The tool cannot be used for both
enterprise and program risk management at the same time. The user should create a copy of the template and designate one copy as enterprise and
one copy as program.
How to use the Risk Register

The risk register is made up of various sheets, divided into one of three categories: reference (REF), input (INPUT), and output (OUTPUT). The user
should only enter in information on the input sheets. In order to populate the final risk register (Summary sheet), the user must complete these four
input sheets as fully as possible. When completing each sheet, enter data from left to right. Output sheets are generated automatically and do not
require user input. Reference sheets are purely informational and provide supporting details on using this risk register tool.
Data is entered in each cell in one of three ways: 1) manually (users input information), 2) using a drop-down list (users select from a pre-populated
list of choices), and 3) auto-population (users do not enter data in these cells, information is populated on the basis of data entered previously).
Columns are marked with the input method.
Risk Register Sheets

Below is a list of each sheet in the risk register tool, along with a brief description.
REF - Instructions Provides necessary instructions and definitions for the risk register tool. The sheet serves as a reference
and requires no input.
Identifies the risk categories and respective impact and likelihood/probability definitions. Values are
INPUT - Categories & Rating used to calculate the risk rating and heat map. Risk categories, impact ratings/definitions, and likelihood
ratings/definitions are entered by the user.
Identify the risks. First enter risks on this sheet, including date identified, risk description, and category
INPUT - Identification of impact.
INPUT - Analysis Analyze the risks. Rate the likelihood of occurrence and level of impact of the risks (pre-mitigated risk
ranking). Reference the "Categories & Rating" sheet for guidance when rating risks.
Manage the risks. Identify response strategies, assign key individuals, and note potential trigger events.
INPUT - Management Re-rank the risks' likelihood and impact, based on the controls and response strategies (post-mitigated
risk rating).
OUTPUT - Risk Register Final risk register, based on the previous INPUT sheets.
Pre-mitigated and post-mitigated heat maps, identifying the number of risks in each impact/likelihood
OUTPUT - Heat Maps
scenario.
WSP | Parsons Brinckerhoff Instructions: 3 of 26 July 2016

INSTRUCTIONS
OUTPUT - Risk Summary Pre-mitigated and post-mitigated risk summary, identifying each risk and its resulting risk rating.
REF - Glossary Collection of common risk management terms, including terms used in this tool.
REF - FAQs List of Frequently Asked Questions around risk management and the use of this tool.
Tool Usability/Editing Note

Usability:
Risk management is a comprehensive and time-sensitive process. Although the tool is built to industry best practice and ISO 31000 standards, use of
this tool does not constitute formal enterprise and/or program-level risk management. Formal risk management includes greater involvement
beyond the use of a risk register, such as training, executive-level support/commitment, and employee buy-in. This risk register tool should only be
used as a decision support tool when implementing formal enterprise and program-level risk management.
Editing:
The tool, although it does not contain macros, contains various formulas on the input and output sheets that are required to properly populate the
risk register. Therefore, the tool has been locked and is not editable; however, the tool is not password-protected. The user can unlock the risk
register at anytime, but by unlocking the sheet, the tool creators cannot guarantee the tool will continue to function as it was intended.

RISK CATEGORIES & RATING MATRIX

Risk Categories // Impact Areas Likelihood Ranges & Risk Ratings (Low, Medium, High, Critical)
Rare Unlikely Possible Likely Almost Certain
Qualitative Description of Qualitative Description of Qualitative Description of Qualitative Description of Qualitative Description of
Likelihood Likelihood Likelihood Likelihood Likelihood
(User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated)
Risk Category Risk Category Risk Category Risk Category Risk Category Risk Category Risk Category Risk Category
(User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated)
Quantitative Description of Quantitative Description of Quantitative Description of Quantitative Description of Quantitative Description of
Likelihood Likelihood Likelihood Likelihood Likelihood
(User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated)
Key
Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact [Suggested Text: Requires intervention from executive
(User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) management; requires prompt action to implement new enterprise
or program level controls to treat the risk.]
Critical
Severe
Medium Medium High Critical Critical [Suggested Text: Affects the ability of the agency to carry out its
mission or strategic plan - existing controls may be effective but
could require additional action and/or controls to be managed at
High the executive management level.]
Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact [Suggested Text: Impacts completion of a critical agency function -
(User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) (User-Generated) existing controls must be effective and possible additional actions
may need to be implemented.]
Medium
Impact Levels
Major
Low Medium High Critical Critical [Suggested Text: Managed with current practices and procedures -
impacts are dealt with by routine operations which should be
monitored for effectiveness.]
Low
Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact Description of Impact
Moderate
Low Medium Medium High High
Minor
Low Low Medium Medium Medium
Insignificant
Low Low Low Low Medium
WSP | Parsons Brinckerhoff Risk Categories and Rating: 5 of 26 July 2016

RISK IDENTIFICATION
ID Date Identified Brief Risk Description Detailed Risk Statement Risk Category
Manual
Manual Manual Manual Drop Down
(MM/DD/YY)
WSP | Parsons Brinckerhoff Identification: 6 of 26 July 2016

RISK IDENTIFICATION
Manual
(MM/DD/YY)

RISK IDENTIFICATION
Manual
(MM/DD/YY)

RISK IDENTIFICATION
Manual
(MM/DD/YY)

RISK IDENTIFICATION
Manual
(MM/DD/YY)

RISK ANALYSIS
ID Brief Risk Description Risk Category Impact Likelihood Risk Rating
Auto Auto Auto Drop Down Drop Down Auto
WSP | Parsons Brinckerhoff Analysis: 11 of 26 July 2016

RISK ANALYSIS

RISK ANALYSIS

RISK ANALYSIS

RISK ANALYSIS

RISK MANAGEMENT
Monitoring & Updating Post-Treatment Risk Rating
Response Responsible
ID Brief Risk Description Risk Category Response Action/Strategy Description
Action/Strategy Individual Trigger Event(s) Status Risk Resolution Date Impact Likelihood Risk Rating
Manual
Auto Auto Auto Drop Down Manual Manual Manual Drop Down Drop Down Drop Down Auto
(MM/DD/YY)
WSP | Parsons Brinckerhoff Management: 16 of 26 July 2016

RISK MANAGEMENT
Manual
(MM/DD/YY)

RISK MANAGEMENT
Manual
(MM/DD/YY)

RISK REGISTER
RISK IDENTIFICATION RISK ANALYSIS RISK MANAGEMENT
Monitoring & Updating
Response Responsible Post-Treatment Risk
ID Date Identified Brief Risk Description Detailed Risk Statement Risk Category Pre-Treatment Risk Rating Response Action/Strategy Description
Action/Strategy Individual Trigger Event(s) Status Risk Resolution Date Rating
WSP | Parsons Brinckerhoff Risk Register: 19 of 26 July 2016

RISK REGISTER

RISK REGISTER

HEAT MAPS
Pre-Treatment Heat Map Post-Treatment Heat Map

# of risks per each impact/likelihood scenario # of risks per each impact/likelihood scenario
Severe Severe
Totals Totals
Critical Critical
Major
Risks 0 Major
Risks 0
Impact Moderate High Risks 0 Impact Moderate High Risks 0
Medium Medium
Minor
Risks 0 Minor
Risks 0
Insignificant Low Risks 0 Insignificant Low Risks 0
0 0
Rare Unlikely Possible Likely Almost Rare Unlikely Possible Likely Almost
Certain Certain
Risk Heat Map Risk Heat Map
Likelihood Likelihood
WSP | Parsons Brinckerhoff Heat Maps: 22 of 26 July 2016

RISK SUMMARY
Pre-Treatment Risk Summary Post-Treatment Risk Summary
Count IDs of Risks Involved Count IDs of Risks Involved
Critical Critical
0 0
Risks Risks
High Risks 0 High Risks 0
Medium Medium
Risks 0 Risks 0
Low Risks 0 Low Risks 0
0 0

GLOSSARY
Consequence / Impact Outcome of an event affecting objectives.
The consistent application of techniques to manage the uncertainties surrounding the achievement of an
Enterprise Risk Management organization’s objectives. May include risks related to planning, investment management, public outreach,
human resources, and other aspects of the organization that are not tied to a specific project or program of
projects but still affects the achievement of strategic objectives.
Likelihood / Probability A measure of how likely a condition or event is to occur. It ranges from 0 to 100 percent (or 0.00 to 1.00).
Opportunity Uncertainty with a positive impact. A possible event that results in a benefit.
Post-Treatment Risk Rating Also known as residual risk or retained risk, a quantitative or qualitative value based on the likelihood/probability
of impact and the level of impact, after a risk response option is considered.
A quantitative or qualitative value based on the probability of impact and the level of impact, with no risk
Pre-Treatment Risk Rating response option considered.
Program Risk Management The consistent application of techniques to manage the uncertainties surrounding a portfolio/suite of similar
projects.
Risk An uncertain event or condition that, if it occurs, has a negative or positive effect on an organization's, program's
or project’s objectives.
Risk Analysis A component of risk management that bridges risk identification and risk monitoring in support of risk allocation.
Risk analysis involves the quantitative or qualitative analysis that assesses impact and probability of a risk.
Risk Category A way to classify risks based on potential impacts.
Recording, maintaining, and reporting assessments, handling analysis and plans, and monitoring results. It
Risk Documentation includes all plans, reports for senior leaders and decision authorities, and reporting forms that may be internal to
the agency.
Risk Event A discrete occurrence that may affect the agency for better or worse.
Risk Heat Map A tool used to visually and concisely present the likelihood and impact of multiple risks.
Risk ID An assigned number to help easily and uniquely identify the risk.
Risk Identification Determining which risks might affect the agency and documenting their characteristics.
Risk Management Plan A document detailing how risk response options and the overall risk processes will be carried out during the year.
This is the output of Risk Planning.
Risk Model The translation of selected risks into a mathematical model for purposes of performing a quantitative risk analysis.
Risk Planning Analyzing risk response options (Acceptance, Avoidance, Mitigation, or Transference) and deciding how to
approach and plan risk management activities.
Risk Rating A quantitative or qualitative value based on the likelihood/probability of impact and the level of impact.
Risk Register A document detailing all identified risks, including description, cause, likelihood/probability of occurring,
impact(s) on objectives, proposed responses, cost to mitigate, remaining exposure, owners, and current status.
Risk Resolution Date Date by when the risk must be resolved.
Risk Response Options Various ways to address risks including take advantage, terminate, tolerate, transfer, and treat a risk.
WSP | Parsons Brinckerhoff Glossary: 24 of 26 July 2016

GLOSSARY
Risk Response: Take When the risk's potential upside exceeds the likelihood of its negative consequences, the agency can choose to
Advantage "take advantage" of the risk, monitoring the risk appropriately.
Risk Response: Terminate A risk response option that results in terminating the risk by stopping a practice or eliminating the source of the
risk.
Accepting the risk and providing regular monitoring or treatment of the risk. Typical reasons for selecting this risk
Risk Response: Tolerate response option might be because the chance of occurrence is unlikely, the risk impact is low, or the risk is
outside of agency control.
This risk response option seeks to shift the impact of a risk to a third party together with ownership of the
Risk Response: Transfer response. Transferring risk is common in the private sector, but less so in the public sector. The most common
way to transfer risk is through insurance.
Risk Response: Treat If treatment is possible and its benefits outweigh its costs, the agency could decide to act on and mitigate the risk.
Risk Statement An actionable statement that describes a risk event —a situation that exists or may come to exist—as well as the
possible negative consequence.
Threat Uncertainty with a presumed negative impact. A possible event that results in an adverse consequence.
WSP | Parsons Brinckerhoff Glossary: 25 of 26 July 2016

FREQUENTLY ASKED QUESTIONS
1 How do you write a proper risk statement?
Each risk should have its own, unique risk statement. The statement should consist of a defined event and the impact resulting from the event.
The statement should be concise but comprehensive. There are various formats to a risk statement but one of the more popular and
recommended formats is the if/then format:
“If <RISK EVENT> happens, then <CONSEQUENCE> will happen to <WHOM>, causing a/an <IMPACT> of <RESULT>.”
2 How does the impact and likelihood of a risk (the risk rating) influence how I should respond to that risk?
The risk rating is based on the impact and likelihood score, as defined by the user, and is the result of multiplying the two scores together. The
rating is used to prioritize the risks, the higher the score, the greater the impact caused by the risk. This simple formula can help your agency
rank the risks and focus on the risks that are either a) more likely to occur or b) will cause the most impact to the agency or program. Please
refer to NCHRP 08-93: Managing Risk Across the Enterprise: A Guide for State Departments of Transportation for additional guidance on
developing risk response strategies.
3 How is the risk register integrated with my risk response strategies and actions?
Within the risk register, under the 'INPUT - Management' sheet, the user identifies an appropriate response action/strategy for each risk. This
is an overarching response action/strategy and should serve as a starting point for a detailed risk response plan. For each risk, or for a group of
risks, one should develop a risk response plan. The plan will provide further details on the risk(s), the response strategy and specific action
steps that should be taken to address the risk(s). Further, the plan should identify who is responsible for each action step and when these steps
should be addressed.
4 How do I determine my agency's risk categories, either at the enterprise or program-level?
Risk categories are specific to each agency and typically relate back to the agency's strategic goals (at the enterprise-level) or their program
goals (at the program-level). As part of this NCHRP Project, the research team identified sample risk categories at the enterprise-level. These
enterprise-level categories are identified in the Enterprise-level Example, on the Risk Rating Categories & Rating sheet. Further, the Program-
level Example identifies common program-level risk categories for a typical asset management program. It is the responsibility of the agency to
determine which risk categories it should use. If an agency is unsure of what categories to use, the agency should start with the risk categories
in the Enterprise-level Example and expand on the categories, as needed. The final project report also contains illustrative listings of enterprise
and program-level risk categories based on the research conducted to develop this tool.
5 Can I use this register/tool to assess opportunities, in addition to threats?
This tool was specifically designed to assess threats (and not opportunities) at the enterprise and program-levels. Assessing opportunity is
becoming more popular and as an agency advances its risk management program, it is recommended practice. Although the tool is designed
for assessing risks, with some minor changes, the tool can become an "Opportunity Register". However, there is no guidance provided in
making the required changes and it is the responsibility of the user to make the appropriate changes. Using the tool both as a Threat Risk
Register and Opportunity Register simultaneously is not recommended (the user should create two separate files, one for threats and one for
opportunities).
WSP | Parsons Brinckerhoff FAQs: 26 of 26 July 2016

Risk Register Tool Template

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Risk Register Tool Template

Uploaded by

Copyright:

Available Formats

NCHRP 08-36 (TASK 126): RISK REGISTER TOOL - Template

NCHRP 08-36 (TASK 126): RISK REGISTER TOOL

NCHRP 08-36, Task 126

Risk Register Tool Template

John Patrick (J.P.) O'Har, Ph.D.

WSP | Parsons Brinckerhoff Overview: 1 of 26 July 2016

TEMPLATE VS. EXAMPLES

WSP | Parsons Brinckerhoff Example Context: 2 of 26 July 2016

Enterprise vs. Program

How to use the Risk Register

Risk Register Sheets

WSP | Parsons Brinckerhoff Instructions: 3 of 26 July 2016

Tool Usability/Editing Note

WSP | Parsons Brinckerhoff Instructions: 4 of 26 July 2016

RISK CATEGORIES & RATING MATRIX

Low Medium Medium High High

Low Low Medium Medium Medium

Low Low Low Low Medium

WSP | Parsons Brinckerhoff Risk Categories and Rating: 5 of 26 July 2016

WSP | Parsons Brinckerhoff Identification: 6 of 26 July 2016

WSP | Parsons Brinckerhoff Identification: 7 of 26 July 2016

WSP | Parsons Brinckerhoff Identification: 8 of 26 July 2016

WSP | Parsons Brinckerhoff Identification: 9 of 26 July 2016

WSP | Parsons Brinckerhoff Identification: 10 of 26 July 2016

ID Brief Risk Description Risk Category Impact Likelihood Risk Rating

Auto Auto Auto Drop Down Drop Down Auto

WSP | Parsons Brinckerhoff Analysis: 11 of 26 July 2016

ID Brief Risk Description Risk Category Impact Likelihood Risk Rating

Auto Auto Auto Drop Down Drop Down Auto

WSP | Parsons Brinckerhoff Analysis: 12 of 26 July 2016

ID Brief Risk Description Risk Category Impact Likelihood Risk Rating

Auto Auto Auto Drop Down Drop Down Auto

WSP | Parsons Brinckerhoff Analysis: 13 of 26 July 2016

ID Brief Risk Description Risk Category Impact Likelihood Risk Rating

Auto Auto Auto Drop Down Drop Down Auto

WSP | Parsons Brinckerhoff Analysis: 14 of 26 July 2016

ID Brief Risk Description Risk Category Impact Likelihood Risk Rating

Auto Auto Auto Drop Down Drop Down Auto

WSP | Parsons Brinckerhoff Analysis: 15 of 26 July 2016

WSP | Parsons Brinckerhoff Management: 16 of 26 July 2016

WSP | Parsons Brinckerhoff Management: 17 of 26 July 2016

WSP | Parsons Brinckerhoff Management: 18 of 26 July 2016

WSP | Parsons Brinckerhoff Risk Register: 19 of 26 July 2016

WSP | Parsons Brinckerhoff Risk Register: 20 of 26 July 2016

WSP | Parsons Brinckerhoff Risk Register: 21 of 26 July 2016

Pre-Treatment Heat Map Post-Treatment Heat Map

Impact Moderate High Risks 0 Impact Moderate High Risks 0

Insignificant Low Risks 0 Insignificant Low Risks 0

WSP | Parsons Brinckerhoff Heat Maps: 22 of 26 July 2016

Pre-Treatment Risk Summary Post-Treatment Risk Summary

Count IDs of Risks Involved Count IDs of Risks Involved

High Risks 0 High Risks 0

Low Risks 0 Low Risks 0

WSP | Parsons Brinckerhoff Instructions: 23 of 26 July 2016

Consequence / Impact Outcome of an event affecting objectives.

Risk Category A way to classify risks based on potential impacts.

Risk Resolution Date Date by when the risk must be resolved.

WSP | Parsons Brinckerhoff Glossary: 24 of 26 July 2016

WSP | Parsons Brinckerhoff Glossary: 25 of 26 July 2016

FREQUENTLY ASKED QUESTIONS

1 How do you write a proper risk statement?

4 How do I determine my agency's risk categories, either at the enterprise or program-level?

5 Can I use this register/tool to assess opportunities, in addition to threats?